diff --git a/roundup/rest.py b/roundup/rest.py index 676060d1..1285e143 100644 --- a/roundup/rest.py +++ b/roundup/rest.py @@ -1040,6 +1040,11 @@ def get_roles(self, input): raise Unauthorised( 'User does not have permission on "user.roles"') + self.client.setHeader( + "Allow", + "GET" + ) + return 200, {"collection": [{"id": rolename,"name": rolename} for rolename in list(self.db.security.role.keys())]} diff --git a/test/test_liveserver.py b/test/test_liveserver.py index 51fedde7..b2f2a809 100644 --- a/test/test_liveserver.py +++ b/test/test_liveserver.py @@ -684,6 +684,30 @@ def test_rest_endpoint_attribute_options(self): self.assertEqual(f.status_code, 404) + def test_rest_endpoint_user_roles(self): + # use basic auth for rest endpoint + f = requests.get(self.url_base() + '/rest/data/user/roles', + auth=('admin', 'sekrit'), + headers = {'content-type': "", + 'Origin': "http://localhost:9001", + }) + print(f.status_code) + print(f.headers) + + self.assertEqual(f.status_code, 200) + expected = { 'Access-Control-Expose-Headers': 'X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Limit-Period, Retry-After, Sunset, Allow', + 'Access-Control-Allow-Credentials': 'true', + 'Allow': 'GET', + } + # use dict comprehension to remove fields like date, + # content-length etc. from f.headers. + self.assertDictEqual({ key: value for (key, value) in f.headers.items() if key in expected }, expected) + + content = json.loads(f.content) + + self.assertEqual(3, len(json.loads(f.content)['data']['collection'])) + + def test_ims(self): ''' retreive the user_utils.js file with old and new if-modified-since timestamps.
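Review bot: The `Allow` value added in `get_roles` is a hard-coded literal with no comment, and the place where the route's accepted methods are declared is not visible in this hunk. If this endpoint gains another method, or if its OPTIONS handling advertises a different list, the two can drift apart unnoticed. I would record the intent and collapse the call to one line: `# read-only endpoint: advertise GET only; keep in sync with the route's declared methods` followed by `self.client.setHeader("Allow", "GET")`. The header is set only after the `user.roles` permission check, so a rejected request never receives it; that looks intentional but is worth stating in the comment. The `def get_roles` line itself lies above the hunk.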
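Review bot: `test_rest_endpoint_user_roles` only exercises the authorised admin path, so the `Unauthorised` branch that guards the role list in `get_roles` has no live-server coverage. A second request from an account without the `user.roles` permission (if the fixture provides one) should assert the rejection status and that no `collection` is returned. Within the added lines, `content = json.loads(f.content)` is assigned and never used while the body is parsed again on the next assertion; `roles = json.loads(f.content)['data']['collection']` followed by `self.assertEqual(3, len(roles))` would parse once. The bare count of 3 also passes for any three roles, so comparing the returned names against the expected set would be a stronger check. The two `print(...)` calls look like leftover debugging and can be dropped.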